New Android Browser Bug Is a “Privacy Disaster” for Android Users

A critical Android vulnerability has been discovered in the browser installed by default on a large share (approximately 70%) of Android devices. It could allow an attacker to hijack the web sessions a user has open in other tabs, and a Metasploit module is now available that makes the flaw easy to exploit.

Independent security researcher Rafay Baloch has written about a security bug in the Android Browser app that allows one website to steal data from another. The bug, tracked as CVE-2014-6041, affects the stock browser in Android 4.2.1 and all older versions; Baloch first disclosed it at the start of September.

Tod Beardsley, a developer on the Metasploit security toolkit at Rapid7, has called the bug a “privacy disaster,” and has promised to post a video that is “sufficiently shocking” to show why.

“By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser, fails to enforce the Same-Origin Policy (SOP) browser security control,” Tod Beardsley of Rapid7 said in a blog post.

“What this means is any arbitrary website – say, one controlled by a spammer or a spy – can peek into the contents of any other web page,” Beardsley said. “[If] you went to an attacker’s site while you had your webmail open in another window, the attacker could scrape your email data and see what your browser sees.”

“Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”
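As an added illustration, not code from the original article, from Rapid7, or from the AOSP browser itself, the following Node.js model shows the bug class Beardsley describes: a scheme check that guards the Same-Origin Policy fails to recognise a javascript: URL once a null byte is prepended, while the component that eventually runs the URL still does. The function names, the origins, the URL strings and the exact form of the two checks are assumptions made for this example; the real browser code is not reproduced here.

```javascript
// Added illustration, not AOSP browser code: models the failure described
// above, where a scheme check guarding the Same-Origin Policy misses a
// javascript: URL that has a null byte prepended. Names, origins and URLs
// are assumptions constructed for this example.

// Naive scheme check (modelled on the described failure): a literal prefix
// comparison does not see "\u0000javascript:" as a javascript: URL.
function isJavascriptUrlNaive(url) {
  return url.toLowerCase().startsWith("javascript:");
}

// Hardened scheme check: strip leading and trailing C0 control characters
// and spaces before looking at the scheme, as the WHATWG URL parser does,
// so the guard sees the same scheme the executing path will see.
function isJavascriptUrlHardened(url) {
  const trimmed = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  return trimmed.toLowerCase().startsWith("javascript:");
}

// Model of a page (callerOrigin) navigating a frame owned by frameOrigin.
// The guard blocks javascript: navigation into another origin's frame. After
// the guard, the loader strips leading control bytes and, if what remains is
// still a javascript: URL, runs it in the frame's origin. Returns one of:
//   "blocked"             guard refused a cross-origin javascript: URL (SOP held)
//   "script-same-origin"  script ran in the caller's own frame (legitimate)
//   "script-cross-origin" script ran in another origin's frame (SOP bypass)
//   "load"                ordinary navigation to a non-javascript: URL
function simulateNavigation(schemeCheck, frameOrigin, callerOrigin, url) {
  if (schemeCheck(url) && frameOrigin !== callerOrigin) {
    return "blocked";
  }
  const body = url.replace(/^[\u0000-\u0020]+/, "");
  if (body.toLowerCase().startsWith("javascript:")) {
    return frameOrigin === callerOrigin ? "script-same-origin" : "script-cross-origin";
  }
  return "load";
}

// Constructed scenario: an attacker page holds a frame pointing at a webmail
// origin and tries to run script in it with and without the null byte.
const WEBMAIL = "https://webmail.example";
const ATTACKER = "https://attacker.example";
const PLAIN = "javascript:alert(document.cookie)";
const NULL_PREFIXED = "\u0000javascript:alert(document.cookie)";

function runScenario() {
  return {
    naivePlain: simulateNavigation(isJavascriptUrlNaive, WEBMAIL, ATTACKER, PLAIN),
    naiveNullByte: simulateNavigation(isJavascriptUrlNaive, WEBMAIL, ATTACKER, NULL_PREFIXED),
    hardenedNullByte: simulateNavigation(isJavascriptUrlHardened, WEBMAIL, ATTACKER, NULL_PREFIXED),
    hardenedOwnFrame: simulateNavigation(isJavascriptUrlHardened, ATTACKER, ATTACKER, NULL_PREFIXED),
  };
}

console.log(runScenario());
```

The whole bug is the two code paths disagreeing about what counts as a javascript: URL: the guard says "not script, let it load" while the loader says "script, run it" in the victim frame's origin. The hardened check closes the gap by normalising the URL the same way the executing path does before deciding whether the cross-origin guard applies.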

Rafay Baloch found that the AOSP browser installed on Android 4.2.1 is vulnerable to a Same Origin Policy (SOP) bypass that allows one website to steal data from another. He then tested his findings on several devices, including the Sony Xperia, Qmobile Noir, Samsung Galaxy S3, Motorola Razr and HTC Wildfire, and found the flaw on all of them.

Android 4.4 is not affected by this vulnerability, but according to Google’s own platform statistics, as many as 75% of Android devices, and therefore millions of Android users, are still running affected versions.

Rafay Baloch explained that an SOP bypass occurs when one website manages to access properties of another site, such as its cookies, location or responses. “Due to the nature of the issue and potential impact, browsers have a very strict model pertaining to it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while,” Baloch said in a blog post.

As a responsible security researcher, Rafay Baloch reported the issue to the Google Security Team, which responded positively, assuring him that it was working on a “suitable fix.” But when it came to rewarding the bug hunter, the reply was different. “We are unable to reproduce this issue though. It’s possible that your OEM has modified the browser in a manner that has created this issue,” said Josh Armour of the Android Security team.

“Android does not currently have a Vulnerability Rewards Program. As far as publicly crediting for the vulnerability, we have started to maintain a list of acknowledgements here. Given that this was published before we had a chance to provide patches, this specific report would not qualify.”

All versions except Android 4.4 are affected by this issue, and a large number of Android users are still on the older versions. Worse, a module for the Metasploit penetration testing platform now exists, which makes exploitation of the flaw much easier.

The flaw resides in the stock web browser of the affected Android devices, which usually cannot be uninstalled because it ships as a built-in part of the operating system. To protect yourself, disable the browser instead: go to Settings > Apps > All and look for the Browser icon.

Open it and you will find a Disable button; select it to disable the Browser.